WhatsApp Security: make this change right now!

Security researchers recently found a backdoor in the popular messaging application WhatsApp that could allow WhatsApp to intercept and read user messages.

Facebook, the owner of WhatsApp, claims that it is impossible to intercept messages on WhatsApp thanks to the service's end-to-end encryption. The company states that no one, not even itself, can read what is sent when both sender and recipient use the latest version of the application.

WhatsApp’s end-to-end encryption ensures only you and the person you’re communicating with can read what is sent, and nobody in between, not even WhatsApp. Your messages are secured with a lock, and only the recipient and you have the special key needed to unlock and read your message. For added protection, every message you send has a unique lock and key. All of this happens automatically: no need to turn on settings or set up special secret chats to secure your messages.

It turns out, however, that there is a way for WhatsApp to read user messages, as security researcher Tobias Boelter found out.

WhatsApp has the power to generate new encryption keys for users who are not online. Neither the sender nor the recipient of the messages is made aware of that, and the sender's application sends any message not yet delivered again, using the new encryption key to protect the messages from third-party access.

The recipient of the message is not made aware of the key change. The sender is made aware of it only if WhatsApp is configured to display security notifications. This option is, however, not enabled by default.
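The sender-side behavior described above can be sketched as a toy model. This is an added illustration, not WhatsApp's code: the class, method names, fingerprint scheme and sample keys are assumptions, and no real encryption is performed. It shows that the notification setting changes what the user sees, not whether undelivered messages are sent again under the new key.

```python
import hashlib
from dataclasses import dataclass, field

def fingerprint(public_key: bytes) -> str:
    # Constructed stand-in for a security code; not WhatsApp's real scheme.
    return hashlib.sha256(public_key).hexdigest()[:16]

@dataclass
class Sender:
    show_security_notifications: bool = False        # off by default, per the article
    known_keys: dict = field(default_factory=dict)   # contact -> key fingerprint
    pending: dict = field(default_factory=dict)      # contact -> undelivered texts
    notices: list = field(default_factory=list)      # what the user actually sees
    wire: list = field(default_factory=list)         # (contact, fingerprint, text)

    def send(self, contact: str, text: str) -> None:
        # "Encrypt" to the currently known key; stays pending until delivered.
        self.wire.append((contact, self.known_keys[contact], text))
        self.pending.setdefault(contact, []).append(text)

    def on_key_change(self, contact: str, new_public_key: bytes) -> None:
        # Server announces a new key for a contact.
        new_fp = fingerprint(new_public_key)
        if new_fp == self.known_keys.get(contact):
            return
        self.known_keys[contact] = new_fp
        if self.show_security_notifications:
            self.notices.append(f"Security code for {contact} changed")
        # Undelivered messages are re-sent under the new key either way.
        for text in self.pending.get(contact, []):
            self.wire.append((contact, new_fp, text))

def rekeyed(wire: list) -> set:
    # Messages that left the device under more than one key fingerprint.
    seen = {}
    for contact, fp, text in wire:
        seen.setdefault((contact, text), set()).add(fp)
    return {k for k, fps in seen.items() if len(fps) > 1}

def simulate(show_notifications: bool) -> Sender:
    s = Sender(show_security_notifications=show_notifications)
    s.known_keys["bob"] = fingerprint(b"constructed-original-key")
    s.send("bob", "meet at 6")                       # bob is offline
    s.on_key_change("bob", b"constructed-replacement-key")
    return s

if __name__ == "__main__":
    for setting in (False, True):
        s = simulate(setting)
        print(setting, s.notices, sorted(rekeyed(s.wire)))
```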

While WhatsApp users cannot block the company — or any state actors requesting data — from taking advantage of the loophole, they can at least activate security notifications in the application.

The security researcher reported the vulnerability to Facebook in April 2016, according to The Guardian. Facebook’s response was that it was “intended behavior”, according to the newspaper.